Access Manager Error: "all replicas are not responding"

  • 3066352
  • 09-Feb-2007
  • 26-Apr-2012

Environment


Novell Access Management 3 Access Administration
Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Linux Access Gateway
NetWare 6.5 Secure LDAP server
Cisco PIX firewall

Situation

Access Manager 3 Interim release 1 applied (nam3ir1.tar.gz)
Novell Identity Server (IDP) and Access Administrator on same host in DMZ
Secure LDAP server, containing IDP user store, is located on a private subnet
Cisco PIX firewall filtering requests between IDP server and secure LDAP server
Cisco PIX firewall NATing requests

When the IDP server is initialised, or a user tries to log in to the IDP server, the login request to the secure LDAP server will fail. The health check screen of the IDP server will display that the replica on the secure LDAP server is not responding. Doing a standard, non-secure LDAP request to the same server works fine, and the replica is reported as up.

Resolution

Bypass the PIX firewall, or use standard LDAP to go through it.

By taking a LAN trace on both the IDP server and the secure LDAP server, one could see that the response to the simple LDAP bind request never appeared to arrive at the IDP server. Using the server's private key to decode the LDAP traffic, one could see that the secure LDAP server did send this 'success' response to the PIX firewall. The PIX firewall appeared to be 'touching' the response, and this 'success' response to the LDAP bind was never sent out of the IDP server interface of the PIX firewall.
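The comparison described above (decrypted traces from both sides of the firewall, matched bind request against bind response) can be scripted once the TLS layer has been stripped from the captures. The following is an added example, not part of this document or of Novell's tools: it decodes the BER framing of LDAP messages per RFC 4511, then reports any response the LDAP server sent that the IDP side never received. The sample captures, the DN and the password are constructed for illustration; the message bytes are built inline rather than read from a real trace file.

```python
"""Correlate decrypted LDAP traffic captured on two sides of a firewall.

Each capture is modelled as a list of raw LDAPMessage byte strings, i.e. what a
LAN trace yields after TLS decryption. Messages are matched by LDAP messageID:
a request seen on both sides whose response appears only in the server-side
capture was dropped somewhere in between (here, by the PIX).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# LDAP protocolOp tags (RFC 4511), APPLICATION class, constructed encoding
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61
SEARCH_REQUEST, SEARCH_RESULT_DONE = 0x63, 0x65
REQUEST_OPS = {BIND_REQUEST, SEARCH_REQUEST}
RESPONSE_OPS = {BIND_RESPONSE, SEARCH_RESULT_DONE}


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class LdapMessage:
    message_id: int
    op: int
    result_code: Optional[int]  # only present for response operations


def decode_ldap_message(raw: bytes) -> LdapMessage:
    """Parse LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE }."""
    tag, body, _ = read_tlv(raw)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    id_tag, id_val, pos = read_tlv(body)
    if id_tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op_val, _ = read_tlv(body, pos)
    result = None
    if op_tag in RESPONSE_OPS:
        # LDAPResult starts with resultCode ENUMERATED (0 = success, 49 = invalidCredentials)
        rc_tag, rc_val, _ = read_tlv(op_val)
        if rc_tag == 0x0A:
            result = int.from_bytes(rc_val, "big")
    return LdapMessage(int.from_bytes(id_val, "big", signed=True), op_tag, result)


def find_dropped_responses(server_side: List[bytes], client_side: List[bytes]) -> List[Tuple[int, int]]:
    """Return (messageID, resultCode) for responses the server sent but the client never saw.

    Only requests that the client side actually emitted are considered, so a
    stale message on the server trace does not produce a false positive.
    """
    client_msgs = [decode_ldap_message(m) for m in client_side]
    server_msgs = [decode_ldap_message(m) for m in server_side]
    client_requests = {m.message_id for m in client_msgs if m.op in REQUEST_OPS}
    client_responses = {m.message_id for m in client_msgs if m.op in RESPONSE_OPS}
    return [
        (m.message_id, m.result_code)
        for m in server_msgs
        if m.op in RESPONSE_OPS
        and m.message_id in client_requests
        and m.message_id not in client_responses
    ]


# --- constructed sample traffic (short-form BER lengths are enough here) ---
def tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128, "sample encoder only handles short-form lengths"
    return bytes([tag, len(value)]) + value


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(BIND_REQUEST, op))


def bind_response(msg_id: int, result_code: int) -> bytes:
    op = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, b"")
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(BIND_RESPONSE, op))


# What the trace on the LDAP server saw: request in, 'success' response out.
SERVER_SIDE_CAPTURE = [bind_request(1, "cn=proxyuser,o=example", "constructed-secret"),
                       bind_response(1, 0)]
# What the trace on the IDP server saw: the request left, the reply never came back.
IDP_SIDE_CAPTURE = [bind_request(1, "cn=proxyuser,o=example", "constructed-secret")]

if __name__ == "__main__":
    for msg_id, rc in find_dropped_responses(SERVER_SIDE_CAPTURE, IDP_SIDE_CAPTURE):
        print(f"messageID {msg_id}: server answered resultCode {rc}, client never received it")
```

A real investigation would feed the decrypted payload bytes exported from each trace into the two lists; the point of matching on messageID is that it isolates the firewall as the place where the reply disappears, instead of guessing from the health-check screen alone.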

Additional Information

No expertise or support for the PIX firewall existed at the customer site, and it was decided to route the secure LDAP requests directly to the server instead of through the PIX.